要描述:4 h' x6 i9 p% }1 D7 y0 f
% |8 N9 C. ?: ]* ^ _SDCMS后台绕过直接进入:测试版本2.0 beta2 其他版本未测试, M9 M. E$ \% Q& G! c# e$ U: J8 c
详细说明:) a$ I! ?/ q2 q3 z
Islogin //判断登录的方法
5 g6 O' ?# U3 O: Y& X% ^) {
, `7 O' _! b, s [/ ^7 Y' osub islogin()
8 v' ]* k7 g3 K2 a+ X" Q " m/ Y+ j% C# ], `5 f, }3 i
if sdcms.strlen(adminid)=0 or sdcms.strlen(adminname)=0 then
+ M. e: @& e+ g( N 2 N9 h; G. c! X7 h; ~
dim t0,t1,t2
0 o+ P6 F7 G9 _$ f9 `) P7 I2 r! T 0 k5 J. V% q5 k* P( v
t0=sdcms.getint(sdcms.loadcookie("adminid"),0) loadcookie
! J& I( O' P! B9 p+ f
' J$ \3 _) u6 K) Q# b [, _; n9 Vt1=sdcms.loadcookie("islogin")& W8 F% p3 \6 s8 v0 E) Q/ r; u& F
$ g2 V6 y9 p2 b F3 N; F; f
t2=sdcms.loadcookie("loginkey")
f8 Y8 X. c6 X! ~5 _- B( m + B1 ~: ]4 p. @* R
if sdcms.strlen(t0)=0 or sdcms.strlen(t1)=0 or sdcms.strlen(t2)<>50 then //这里判断很坑爹 sdcms.strlen(t2)<>50 loginkey 没有任何要求 只需要输入50个即可往下执行
: l% |. s7 J% T w! ~; D; ]! B 5 q& q; U: J# d3 Y! v
//
0 w+ E: x$ |5 |; d! Z/ k0 y+ v % E" k- f( O1 C: U
sdcms.go "login.asp?act=out"
4 D% e9 W! c! q. [& M- ?" B
9 x" Q* T- A& _. a4 uexit sub# o& s+ p& K$ ]* s
& F H; [( v2 b8 |. r9 X- A( Celse: Y& Y- I( }0 s: k9 V
& C0 _6 S$ H# H' n& n
dim data
7 j/ K K c7 X! a9 z, t) K
/ L7 s4 ~4 C5 x3 O- r4 Y$ Cdata=sdcms.db.dbload(1,"adminid,adminname,adminpass,islock,groupid,g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&t0&"","") //根据管理员ID查询 ID可控# I, k3 Y& h3 P4 F5 l) `3 Q: \1 J
+ s: ^5 D& O0 H1 M* j1 ?
if ubound(data)<0 then4 v& q' L) X3 U6 q5 q
" o5 y" {. ]& V8 x- r asdcms.go "login.asp?act=out"
6 }- ]+ w8 r. @4 X
% J& o( c% K/ R. C) o6 a6 A2 z7 ^exit sub
* N I& Y+ ? T F
1 @/ z8 t0 i3 r8 x: {else
- J3 ~# f$ S' m9 ?- L6 A1 \
/ q$ ^' h! f$ ^, _# J/ kif instr(data(1,0)&data(2,0),sdcms.decrypt(t1,t2))<0 or data(3,0)=0 then b( \! i5 U# \2 E+ H" q9 [' ]
! x) s, v* `5 F: Asdcms.go "login.asp?act=out"% u# n0 ~- @$ ~
1 t0 f' Y9 l) o+ p1 ~. n
exit sub- T8 o% D/ G j4 Z" p1 Z5 w
& G2 o# s* @) @/ Aelse+ @7 U' w c* K* k
0 b8 k. S" U# {& r, o
adminid=data(0,0)5 b: f: i9 y, M% t' {/ Q' w* _. H
- v% O0 r* G+ c6 _4 G$ C
adminname=data(1,0)
7 }: ]5 a% @1 F0 F* b0 Y - U; s( V; z) e' b
admin_page_lever=data(5,0)2 @: Z* F8 R6 u/ g: D8 R+ ^9 s
" |- I6 L+ W) m5 M/ D2 Hadmin_cate_array=data(6,0). N5 i$ y5 l2 z! i9 b8 N
, w. j* G4 q$ p5 `admin_cate_lever=data(7,0)5 h0 m2 ?# L2 e w
/ y8 y% D8 r; {9 M
if sdcms.strlen(admin_page_lever)=0 then admin_page_lever=09 F3 K" m5 Q7 i% U
, B7 N' n/ [+ w) ^0 H5 v
if sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0 [) G, u) D# C
6 i+ e) M# }1 O8 {7 F# B
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0$ \0 Z; L" `6 P; h$ e0 [
, E3 E7 Y* ~1 H) R9 t" rif clng(admingroupid)<>0 then
' h' y9 o& E+ @ d s4 _ 1 [* O$ y; X, i4 m# P: [ p4 h; N; {% U
admin_lever_where=" and menuid in("&admin_page_lever&")", x2 M" a i' v- u- ^
# Q9 R1 h5 C, M$ }+ L
end if6 g& K1 u4 \: L+ _) s0 S( K
; H8 U q) R: h% }2 V
sdcms.setsession "adminid",adminid
& ^- N3 }$ x/ W1 F ; P* P, b5 k9 _, u
sdcms.setsession "adminname",adminname
3 f9 Q) I* ~$ M+ |) F 5 l* B+ n2 Z! P& |
sdcms.setsession "admingroupid",data(4,0)& ?6 r3 g Q6 l9 A6 r" @& ~
1 k6 W1 Q- ]9 V2 r+ \end if1 R& ^4 H1 e9 ?& B( Y
9 p* }/ c" `. T% A( V2 @
end if
$ D0 |0 W- T7 q" Q' Y% `! T* J : k) h6 z8 A7 p6 N4 e+ m4 _
end if9 J: n" u9 C3 v8 w3 s: B
; o9 H" e& s5 t5 e7 b5 v
else! r8 H" v# w. E
; B& `9 Z4 n5 {; ^/ o, Y3 gdata=sdcms.db.dbload(1,"g.pagelever,g.catearray,g.catelever","sd_admin u left join sd_admin_group g on u.groupid=g.id","adminid="&adminid&"","")( L2 P; Y5 W' G$ Z
( \4 i9 C' N8 p9 o) C' Sif ubound(data)<0 then
" O9 ^" |8 j2 _6 I, y6 f% P 3 W9 V0 |' I# ~% ]3 A# U% h a" R+ \& m
sdcms.go "login.asp?act=out"* b2 g4 `$ p$ L% x0 h2 d
) B* G6 |# H1 W# v: a% [8 c$ {exit sub
3 v- [$ l% Q7 g- k / q5 }+ {* L5 ^' R1 Y, k1 k
else
2 k3 e, L) A; o% J" ~6 j. T+ O4 o
- B- J$ o' ]- vadmin_page_lever=data(0,0)1 Y3 Q# B6 a. i( d. R, B
! z# t% F4 ]0 r ?
admin_cate_array=data(1,0)
2 S; D5 C" V, b5 U O- g $ r3 x1 o3 G1 {; t/ x
admin_cate_lever=data(2,0)1 W: _8 q* {& v/ O0 c% n
9 N' n7 x/ j* f: d. ? oif sdcms.strlen(admin_page_lever)=0 then admin_page_lever=0
7 T6 y5 c5 e% x/ x
* m" @. T& M2 v- ~* e+ }6 g/ zif sdcms.strlen(admin_cate_array)=0 then admin_cate_array=0
4 z8 C' V5 ^' k7 a ) Z& s+ `2 _. e- H0 w
if sdcms.strlen(admin_cate_lever)=0 then admin_cate_lever=0
0 `' B/ o# |; M! G. W0 i
+ P3 Y1 w1 e; v! ]: M2 q9 dif clng(admingroupid)<>0 then, b, [6 x k( B* ]
! H7 P* }7 U% ]: M
admin_lever_where=" and menuid in("&admin_page_lever&")"/ w0 A L; Z5 f8 R4 ~6 ]
' @ K/ x: M+ B3 V' p7 m" y- p
end if
0 H }$ r, g/ u2 |9 n2 o % r- z; |/ C/ J/ U: Z
end if- z/ W( E0 C1 g# S; L% h
6 R# o' _0 |$ z( a6 f5 n) F
end if
# I F. i# s; K) ]% G. C$ a ! `, i0 ^/ a8 w6 B5 V; c3 u
end sub" A0 ]; J' G# C
漏洞证明:( }. L6 {$ Z. S8 i
看看操作COOKIE的函数" u- c. L) h1 D& L$ O/ i
) ?: G0 Y2 }7 X# Z0 dpublic function loadcookie(t0)
, A9 U; c$ b5 _$ u- L6 x3 h% ?$ \ * f) {4 {; o( m" p/ c
loadcookie=request.cookies(prefix&t0)
, r& C2 [. t% C8 L { 1 N+ p- Y5 }/ V- P+ j8 V
end function
6 M* s: `5 A( B4 L " ^6 U2 b1 m5 {. j: u4 _5 p" v# [
public sub setcookie(byval t0,byval t1)
& Y3 Y) g0 W! f8 q/ d# S
- y5 G* H4 Y0 kresponse.cookies(prefix&t0)=t1
7 t- k+ h' U5 ~" a$ f( \! W
! ^2 r2 ?" K, M& ~& K6 v: s. X8 @end sub
% h5 |3 i9 M1 ~4 j; D4 ~6 T4 G 1 F W! U4 {" w
prefix
( D& c. [( ^& C
7 t" h4 {, ^! C' B# A'变量前缀,如一个空间下多次使用本程序的话,请每个程序配置不同的值 w: |( ?8 Z9 m" R, l- C
. N/ {* J& t9 g) W4 B4 D
dim prefix
1 J( W. ~# j# \8 [& F ) D1 k9 r; ?* R9 m e
prefix="1Jb8Ob"
2 x2 p+ v6 Z; i/ z* I9 D 0 [! h$ I, ]! ?9 j- {& ]
'这个值访问一下admin/login.asp?act=out 便可得到 在COOKIE里 0 i* e5 S+ P" F8 E6 l9 L0 c" o
$ v# C/ V2 U' G( lsub out
# C3 C" j. k$ K: ^8 [0 f
# p" h( s+ h. S) vsdcms.setsession "adminid",""
: ?0 o! h, L8 x. v6 B - W/ O, p5 F% V; ]; t3 O7 _; e
sdcms.setsession "adminname",""
2 A, t: x; G3 H
2 ]9 {7 t6 P& Lsdcms.setsession "admingroupid",""
J% S$ @& N% G: Z& ]' |$ q J 3 o5 X4 ~* O8 z- o+ Z
sdcms.setcookie "adminid",""
. @# C) O! n$ _; O* ~0 A
1 X" O7 Q! C2 i, N6 C1 Nsdcms.setcookie "loginkey",""
3 }5 b% p5 w3 o( [' B6 t
. B7 J) G6 ~6 l# C% f% Ssdcms.setcookie "islogin",""( u2 u0 |# d1 X& m
' N+ U Z: T9 ?" U& m2 N! d
sdcms.go "login.asp"
; N- x& \8 H! { 7 m% n6 f- j: e
end sub
3 r4 J4 Z$ K7 B 8 k% i$ \* d) u2 Y- Z
+ O" L% [7 J. v3 \3 a/ O' Y! }) y# B
利用方法:设置cookie prefixloginkey 50个字符 prefixislogin 随意 循环下prefixadminid 即可 默认1 然后访问后台,就可以了!
& J1 c# b7 p) G" X8 D2 Z: O修复方案:
2 K+ R. F) z! X3 D( l6 M6 q修改函数!% { [1 P. c6 k \
|
发表于 2013-7-26 12:42:43
收藏
支持
反对